Microsoft Agent 365: The Enterprise Control Plane for AI Agents Explained
Deep dive into Microsoft Agent 365 (GA May 1, 2026) and how it serves as the control plane for observing, securing, and governing AI agents at enterprise scale.
The Enterprise Agent Problem
As enterprises move AI agents from pilots to production, a critical gap has emerged: who watches the agents? When you deploy 50 agents across HR, finance, IT, and customer service, you need answers to questions that no individual agent framework addresses. Which agents are running? What data are they accessing? Who authorized them? How do you revoke an agent's permissions when an employee leaves? What happens when an agent misbehaves?
Microsoft's answer is Agent 365 — a management and governance layer that sits above individual agent implementations and provides the same kind of control plane that Kubernetes provides for containers. Announced at Build 2025 and going GA on May 1, 2026, Agent 365 is Microsoft's bet that enterprise AI agent adoption will be gated by governance, not capability.
What Agent 365 Actually Is
Agent 365 is not an agent framework. It does not help you build agents (that is Copilot Studio's job). Instead, it is a control plane for managing agents that already exist. Think of it as Active Directory for AI agents — a centralized system for identity, access, policy, and observability.
The core capabilities:
1. Agent Registry and Discovery
Every agent in the organization is registered in Agent 365 with metadata: who built it, what it does, what tools it has access to, what data sources it can read, and who can invoke it. This creates an organizational catalog of AI capabilities.
// Registering an agent with Agent 365
// Using the Microsoft Graph Agent Management API
import { Client } from "@microsoft/microsoft-graph-client";
const graphClient = Client.init({
authProvider: (done) => {
done(null, accessToken);
},
});
// Register a new agent
const agentRegistration = await graphClient
.api("/agents/registrations")
.post({
displayName: "Accounts Payable Agent",
description: "Handles invoice matching, payment scheduling, and vendor inquiries",
owner: "finance-team@company.com",
classification: "business-critical",
dataAccess: [
{
resource: "sharepoint://finance/invoices",
permission: "read",
justification: "Reads invoices for matching against POs"
},
{
resource: "dynamics365://accounts-payable",
permission: "read-write",
justification: "Creates and updates payment records"
}
],
tools: [
{
name: "match_invoice_to_po",
riskLevel: "low",
description: "Read-only comparison of invoice to purchase order"
},
{
name: "schedule_payment",
riskLevel: "high",
description: "Initiates a financial transaction",
requiresApproval: true,
approvalChain: ["finance-manager@company.com"]
}
],
model: {
provider: "openai",
name: "gpt-5.4",
region: "us-east",
dataResidency: "us-only"
},
compliance: {
frameworks: ["SOX", "SOC2"],
auditRetention: "7-years",
piiHandling: "restricted"
}
});
console.log("Agent registered:", agentRegistration.id);
2. Policy Enforcement
Agent 365 allows security teams to define policies that apply across all agents in the organization. These policies are enforced at the platform level, not by individual agent implementations, which means an agent cannot bypass them even if its code does not implement the check.
// Define an organization-wide agent policy
const policy = await graphClient
.api("/agents/policies")
.post({
name: "Financial Transaction Controls",
scope: "all-agents",
rules: [
{
type: "tool-execution-approval",
condition: {
toolRiskLevel: "high",
transactionAmountGreaterThan: 10000
},
action: {
requireHumanApproval: true,
approverRole: "finance-manager",
timeoutMinutes: 60,
onTimeout: "deny"
}
},
{
type: "data-access-restriction",
condition: {
dataClassification: "confidential",
agentClassification: { not: "business-critical" }
},
action: {
deny: true,
logReason: "Non-critical agent attempted confidential data access"
}
},
{
type: "rate-limit",
condition: {
toolCategory: "external-api"
},
action: {
maxCallsPerMinute: 30,
maxCallsPerHour: 500,
onExceed: "throttle-and-alert"
}
},
{
type: "model-routing",
condition: {
dataContains: "PII"
},
action: {
requireModel: {
dataResidency: "same-region-as-user",
provider: ["azure-openai"] // No external model APIs for PII
}
}
}
]
});
3. Observability Dashboard
Agent 365 provides a unified observability dashboard that aggregates metrics, logs, and traces from all registered agents. Security teams can monitor agent activity in real-time, investigate incidents, and generate compliance reports.
The dashboard surfaces:
- Agent health: Which agents are running, their error rates, and latency percentiles
- Data access patterns: What data each agent accessed, when, and for which user
- Tool execution logs: Every tool call with inputs, outputs, and duration
- Anomaly detection: Unusual patterns like a sudden spike in data access or an agent calling tools it rarely uses
- Cost tracking: Token consumption and API costs per agent, per department, per user
4. Identity and Access Management
Each agent in Agent 365 gets a managed identity — similar to a service principal in Azure AD. This identity determines what the agent can access, and it can be scoped, rotated, and revoked just like an employee's credentials.
// Assign an identity to an agent
const identity = await graphClient
.api("/agents/registrations/{agentId}/identity")
.post({
type: "managed-identity",
permissions: [
{
resource: "microsoft.graph/users",
scope: "User.Read.All",
justification: "Look up employee details for HR queries"
},
{
resource: "microsoft.graph/mail",
scope: "Mail.Send",
justification: "Send notification emails on behalf of users",
constraints: {
recipientDomain: "company.com", // Internal only
maxPerDay: 100
}
}
],
lifecycle: {
createdBy: "admin@company.com",
expiresAt: "2026-12-31T23:59:59Z",
reviewFrequency: "quarterly",
nextReview: "2026-06-30T00:00:00Z"
}
});
Architecture: How Agent 365 Integrates
Agent 365 operates as a sidecar or proxy layer. Agents do not need to be rewritten to work with it. Instead, Agent 365 intercepts agent-to-tool and agent-to-data communications through its proxy, applies policies, logs activity, and forwards approved requests.
// Agent 365 integration via the Agent Gateway SDK
// This wraps your existing agent's tool calls with policy enforcement
import { AgentGateway } from "@microsoft/agent-365-sdk";
const gateway = new AgentGateway({
agentId: "ap-agent-001",
tenantId: process.env.AZURE_TENANT_ID,
policyEndpoint: "https://agent365.company.com/policies"
});
// Wrap your tool execution with the gateway
async function executeToolWithGovernance(
toolName: string,
args: Record<string, unknown>,
userContext: { userId: string; sessionId: string }
): Promise<unknown> {
// Step 1: Check policy before execution
const policyCheck = await gateway.checkPolicy({
tool: toolName,
arguments: args,
user: userContext.userId,
session: userContext.sessionId
});
if (policyCheck.denied) {
throw new Error(
"Policy denied: " + policyCheck.reason
);
}
if (policyCheck.requiresApproval) {
// Request human approval
const approval = await gateway.requestApproval({
tool: toolName,
arguments: args,
approver: policyCheck.approver,
timeout: policyCheck.timeoutMinutes
});
if (!approval.approved) {
throw new Error("Approval denied by " + approval.reviewer);
}
}
// Step 2: Execute the tool
const startTime = Date.now();
let result: unknown;
let error: string | null = null;
try {
result = await actualToolExecution(toolName, args);
} catch (e) {
error = (e as Error).message;
throw e;
} finally {
// Step 3: Log execution for audit
await gateway.logExecution({
tool: toolName,
arguments: args,
result: error ? null : result,
error,
durationMs: Date.now() - startTime,
user: userContext.userId,
session: userContext.sessionId,
timestamp: new Date().toISOString()
});
}
return result;
}
Agent Lifecycle Management
Agent 365 treats agents as first-class organizational resources with a defined lifecycle: creation, approval, deployment, monitoring, review, and decommissioning. This lifecycle mirrors how enterprises manage software applications but adds AI-specific concerns.
See AI Voice Agents Handle Real Calls
Book a free demo or calculate how much you can save with AI voice automation.
Creation: An agent is defined with its capabilities, data access requirements, and risk classification. The definition goes through an approval workflow that may involve security, compliance, and the data owners.
Deployment: Once approved, the agent receives its managed identity and is registered in the catalog. Policies are applied based on its classification and the data it accesses.
Monitoring: Agent 365 continuously monitors the agent's behavior against its registered capabilities. If the agent starts accessing data or calling tools that were not in its registration, an alert fires.
Review: On a configurable schedule (typically quarterly), agents undergo a review similar to an access review for human employees. Reviewers verify that the agent still needs its permissions and that its behavior aligns with its purpose.
Decommissioning: When an agent is retired, Agent 365 revokes its identity, archives its logs, and removes it from the catalog. Any downstream systems that depended on the agent are notified.
Practical Adoption Path
For enterprises looking to adopt Agent 365, here is the recommended phased approach:
Phase 1 — Inventory (Week 1-2): Catalog all existing AI agents and chatbots in the organization. Many enterprises discover they have 3-5x more agents than they thought, built by individual teams without central oversight.
Phase 2 — Classify (Week 3-4): Classify each agent by risk level based on what data it accesses and what actions it can take. An agent that reads public FAQs is low risk. An agent that can modify financial records is high risk.
Phase 3 — Register (Week 5-8): Register all agents in Agent 365 with accurate metadata. Start with high-risk agents to get immediate governance value.
Phase 4 — Policy (Week 9-12): Define and enforce organization-wide policies. Start with broad policies (data access controls, rate limits) and refine based on observed behavior.
Phase 5 — Operationalize (Ongoing): Integrate Agent 365 into your incident response, change management, and access review processes.
FAQ
Does Agent 365 work with non-Microsoft AI agents?
Yes. Agent 365 is model-agnostic and framework-agnostic. It works with agents built on OpenAI, Anthropic, Google, or open-source models. The governance layer operates at the tool-call and data-access level, which is independent of the underlying model. You integrate via the Agent Gateway SDK, which wraps your tool execution calls regardless of what framework or model powers the agent.
How does Agent 365 handle agents that span multiple departments?
Cross-department agents require joint ownership in Agent 365. Each department's data owners must approve the agent's access to their resources. The policy engine supports multi-stakeholder approval workflows, where different approvers are required for different data access requests within the same agent. This is similar to how cross-department applications work in traditional IT governance.
What is the performance overhead of Agent 365 policy checks?
Policy checks add approximately 15-30ms per tool call for in-memory policy evaluation and 50-100ms when human approval is required (just the queueing, not the wait for approval). For most agent workloads, where model inference takes 200-3000ms per call, this overhead is negligible. The SDK supports async policy evaluation so that multiple tool calls can be checked in parallel.
Can Agent 365 prevent hallucination or ensure factual accuracy?
Agent 365 focuses on governance (who can do what) rather than quality (is the answer correct). However, you can define output policies that route responses through factuality-checking agents or require human review for certain response categories. The platform provides the enforcement mechanism; you define the quality standards as policies. For factuality, most enterprises combine Agent 365 governance with framework-level guardrails like those in the OpenAI Agents SDK.
Written by
CallSphere Team
Expert insights on AI voice agents and customer communication automation.
Try CallSphere AI Voice Agents
See how AI voice agents work for your industry. Live demo available -- no signup required.